The web has been humming with talk this week – talk, concern, worry and general shpilkes – about Internet security. There’s good reason: not only are there renewed questions about just which hacker group is responsible for what cyber-attack, but the rate and severity of computer hacks appear to be escalating rapidly. In the last week alone the governments of Brazil, Antigua, Australia and Zimbabwe have all been hit hard, with secure and private information literally pouring out onto the web. “Anonymous” on Tuesday declared ‘war’ on the city of Orlando, going as far as dressing Mickey Mouse up in the “Guy Fawkes” mask of AnonOps. One day later the newly formed hacker group “AntiSec” targeted the major media firms Universal Music and Viacom, while also returning to an earlier hack – the Arizona Department of Public Safety – only this time with a new document dump of sensitive information. It seems no-one is immune: even singer Amy Winehouse’s website was defaced Friday by a group calling itself “SwagSec”, which vows to “…take back the Internet from the white devil.”
Below are several stories we found online this week: none of them specifically concerns the Lulz-Anti-Anonymous-Swag-Sec tangle, but all of them still raise serious questions of web privacy and security.
#1: People Are “Idiots”? The security-savvy Bruce Schneier was irked this week by a story he thinks we’ve seen far too much, and yet somehow are never able to arrive at the appropriate conclusion. Namely: the US Department of Homeland Security recently ran a security test, distributing USB memory sticks in the parking lots of federal work sites. The study found that 60% of employees who picked up the sticks plugged them into their (presumably secure) government computers – and that number went up to 90% if the stick had “an official logo” on it. Speaking with Bloomberg News, Mark Rasch of the computer security firm Computer Sciences Corp responded to the study by saying:
“There’s no device known to mankind that will prevent people from being idiots.”
“This is not the right response,” chides Schneier. “Of course people plugged in USB sticks and computer disks. It’s like ’75% of people who picked up a discarded newspaper on the bus read it.’ What else are people supposed to do with them?” As for Rasch’s characterization of people as ‘idiots’, Schneier was particularly cross:
“Maybe it would be the response if 60% of people tried to play the USB sticks like ocarinas, or tried to make omelettes out of the computer disks. But not if they plugged them into their computers. That’s what they’re for.
“People get USB sticks all the time. The problem isn’t that people are idiots, that they should know that a USB stick found on the street is automatically bad and a USB stick given away at a trade show is automatically good. The problem is that the OS trusts random USB sticks. The problem is that the OS will automatically run a program that can install malware from a USB stick. The problem is that it isn’t safe to plug a USB stick into a computer.”
In short: people will probably always put memory sticks where they shouldn’t. Software should be smart enough to stop them when they shouldn’t.
#2: The School for Cyber-War: The virtual border between North and South Korea is nearly as much a conflict zone as is the real, physical DMZ that cuts the Korean peninsula in half. For years the two nations have employed electronic espionage and sabotage against one another, despite the North’s relatively thin Internet infrastructure. Just last month Seoul accused the North Korean army of launching a cyber-attack on a major South Korean bank, paralyzing its operations (the North has denied this accusation), while Seoul continues to prosecute any South Koreans who view electronic communications from the North – including via Facebook, Twitter, YouTube and other websites.
It’s long been rumored the North Korean army has a separate division of elite hackers to probe the South for weaknesses. Now it’s South Korea’s turn. The Times of South Africa reports:
“The (South Korean) army has teamed up with Korea University to open in 2012 the new cyber-defence school, which will admit 30 students a year for a four-year course. Courses include how to break malicious Internet codes, ways to psychologically prepare for cyber warfare and other IT technologies to guard against potential attacks, an army spokesman told AFP. The military will pay tuition for the students who upon graduation will become army officers required to work in online warfare-related units for the following seven years.”
Said the South Korean army in a statement: “We… seek to nurture warriors to fight in cyber warfare amid growing cyber-terror threats from North Korea and to secure a stable supply of specialists.”
No doubt a sign of more skirmishes to come on the Korean peninsula.
#3: Giving Away Secrets: The Google Corporation likes to say that “transparency is a core value.” It’s a good public relations phrase, but also the motivation behind the “Google Transparency Report” – a detailed accounting of every governmental request received by Google for specific information or actions – such as removing an offending page or file. The report also details how Google responded, in addition to providing other tools – such as a real-time monitor of Google traffic from any nation, so as to measure how much censorship or restrictions any government is applying.
It’s a useful tool and admirable idea – but it can also reveal some embarrassing data. Specifically, in the most recent report the United States ranks as the single highest requester of removal, and one of the highest for information. More troubling, with 54 removal requests – 87% fully or partially complied with – and 4,601 removal requests with a 94% compliance rate, the U.S. has the highest rates of positive response from Google.
Compare, for example, the data from India: 67 removal requests at 22% fully or partially complied with, and 1699 data requests with a 79% full or partial compliance rate. In Turkey – not a nation known for its Internet freedoms – there were just 6 removal requests, all complied with, and 45 data requests, none of which were. Norway and Denmark, unsurprisingly, had fewer than 10 requests, but so, too, did Vietnam and Panama.
Expect this report to add even more fuel to organizations such as the Electronic Frontier Foundation and Electronic Privacy Information Center demanding greater protections for individuals against prying governments.
#4: Who’s the Biggest Cyber Threat? (Hint: It’s Not China.) Even before the Google and Adobe corporations (and some U.S. officials) began pointing fingers at China for a major, serious data hack of two years back, cyber-security analysts have watched with concern the level of malicious Internet activity coming from China. Beijing has staunchly denied ever supporting hackers to probe other governments, corporations, or opponents for secure information. That, however, seems at odds with hacking patterns – for example a hack against Google just this month that originated in Jinan – a Chinese military command center.
But cyber-security analyst (and author of the book “Inside Cyber Warfare”) Jeffrey Carr thinks there’s an even larger threat on the net that’s being ignored: Russia. He lists seven reasons why Russia, not China, should be considered “the world’s most dangerous cyber-adversary.” Among those reasons are:
1. Russia is the only nation that has engaged in a military action with a cyber warfare component: The Russia-Georgia War of August, 2008.
2. Russia is the only nation that has engaged in a cyber attack which crippled components of an entire nation’s critical infrastructure sporadically over a three week period: The Estonia Cyber Attacks 2007.
3. Russia’s Prime Minister formerly ran industrial espionage operations for the KGB and still considers such operations an asset to the country.
4. Russia has built a parallel military and civilian information warfare infrastructure that it actively uses against internal and external adversaries. For example, the Federal Security Service’s 16th Directorate, which is responsible for the interception, decryption, and processing of communications, has recently been identified as Military unit (VCH) 71330.
Other reasons include the Kremlin’s support of the Nashi youth-group and what Carr calls the ultimate measure: the fact that Russian cyber-attacks are rarely discovered or pinpointed (unlike, say, China), which he calls “the true measure of a successful op(eration).”